Nmap Development
mailing list archives
Re: Nmap Service Detection Proposal
From: Paul Tod Rieger <prie () abl com>
Date: Tue, 29 Aug 2000 02:13:19 -0400
In support of the need for service detection,
http://www.sunworld.com/sunworldonline/swol-08-2000/swol-0818-unixsecurity.html
points out that, in order to bypass those "pesky" corporate
firewalls, "developers are more and more frequently building
applications that run via port assignments that are well known
and commonly used -- the HTTP and HTTPS ports (80 and 443,
respectively)."
Back to the subject: Fyodor <fyodor () insecure org> proposed:
that the nmap-service-magic file contains a list of "probes". Each probe
contains the following information:
1) A list of common ports for the services detected by the probe (for
implementation optimization only -- an open port will first be tested
with probes that list that port number).
2) A string to be sent to the port right after connection establishment
(if TCP). The string can include escaped binary chars.
3) A list of (case insensitive) regular expressions to match against the
response and the protocol name the regexp relates to. The regexps can
contain escaped binary chars as well.
and gave an example of the nmap-service-magic file grammar:
# The catch-all HTTP probe (which leads to distinctive error msgs from
# many services)
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp 220.*ftp
pop3 +OK
ssh ssh-
smtp smtp
nntp posting ok
http http/1
# Probe X11. I made up the hex values, presumably they would
# correspond to some sort of X request
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11 \x31\x72\x98
and in XML as well. All of this looks good to me, but, of course,
I have a couple of questions:
a) "an open port will first be tested" -- does this mean a port may
be tested multiple times? Will this be stealthy? For instance, if
port 21 really is FTP but wrapped under tcpd, multiple tests won't
be able to identify it -- and they might look like aggressive/lame
cracking attempts. (Also, tcpd may slow down response times even
when connections are permitted....)
Instead, if the service can't be identified from a single test,
maybe it could just be flagged for closer inspection by the user.
b) for ftp, pop3, ssh, and smtp -- if nmap grabs the line that
contains the regexp match, aren't chances pretty good that you also
have the product & version? (Also, your "220.*ftp" seems to take
care of Saurik's concerns re: uniquely identifying FTP....)
Tod
abl.com
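The following is an added illustration, not code from the original post, from Fyodor, or from nmap itself: a small Python reader for the probe-file grammar quoted above, run against constructed responses instead of live servers. It shows the port-ordering rule from point 1 (probes that list the port are tried first, so a banner-speaking service is identified after a single connection), returns the response line that contained the match (the banner with product and version that question b asks about), and counts how many probes a port actually received (the concern in question a). One assumption worth noting: if the match strings are real regular expressions, the quoted `+OK` must be written `\+OK`, because a leading `+` is a syntax error in most regex engines. The probe file, the `Probe`/`Result` types, the `fake_server` function and the fictional product names in the sample banners are all constructed for this example.

```python
import codecs
import re
from dataclasses import dataclass, field

# Constructed probe file written in the grammar quoted in the post above.
# Assumption: this is NOT nmap's own file format; the X11 bytes are the
# made-up values from the original post.  "+OK" is written "\+OK" because
# a bare leading "+" is not a valid regular expression.
PROBE_FILE = r"""
# The catch-all HTTP probe
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp 220.*ftp
pop3 \+OK
ssh ssh-
smtp smtp
nntp posting ok
http http/1
# X11 probe with the invented hex values
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11 \x31\x72\x98
"""

PROBE_LINE = re.compile(r'^probe\s+(tcp|udp)=(\S+)\s+send="(.*)"$', re.I)


@dataclass
class Probe:
    proto: str
    ports: set
    send: bytes
    matches: list = field(default_factory=list)  # [(service, compiled regex)]


@dataclass
class Result:
    service: str
    banner: str        # response line that contained the match (question b)
    probes_sent: int   # how many probes the port received (question a)


def unescape(s: str) -> bytes:
    """Turn the escaped text of a SEND string (\\r, \\n, \\xNN) into raw bytes."""
    return codecs.decode(s, "unicode_escape").encode("latin-1")


def parse_ports(spec: str) -> set:
    """'21,22,6000-6010' -> {21, 22, 6000, ..., 6010}."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_probe_file(text: str) -> list:
    probes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROBE_LINE.match(line)
        if m:
            probes.append(Probe(m.group(1).upper(), parse_ports(m.group(2)), unescape(m.group(3))))
            continue
        if not probes:
            raise ValueError(f"match line before any Probe line: {line!r}")
        service, _, pattern = line.partition(" ")
        # Case-insensitive, compiled as a bytes regex so \xNN escapes match raw bytes.
        probes[-1].matches.append((service, re.compile(pattern.encode("latin-1"), re.I)))
    return probes


def probe_order(probes: list, port: int) -> list:
    """Point 1 of the proposal: probes listing the port go first (stable sort keeps file order)."""
    return sorted(probes, key=lambda p: port not in p.ports)


def identify(probes: list, port: int, talk):
    """talk(port, payload) -> response bytes.  Returns a Result or None if nothing matched."""
    sent = 0
    for probe in probe_order(probes, port):
        response = talk(port, probe.send)
        sent += 1
        for service, rx in probe.matches:
            m = rx.search(response)
            if m:
                # Hand back the whole line the match sits on: it usually carries product/version.
                start = response.rfind(b"\n", 0, m.start()) + 1
                end = response.find(b"\n", m.end())
                end = len(response) if end == -1 else end
                banner = response[start:end].rstrip(b"\r").decode("latin-1")
                return Result(service, banner, sent)
    return None


# Constructed responses standing in for live servers (fictional product names).
SAMPLE_RESPONSES = {
    21: b"220 ExampleFTPD 1.0 Server (ftp) ready.\r\n500 GET not understood\r\n",
    22: b"SSH-1.99-ExampleSSH_2.1\r\n",
    80: b"HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/2.0\r\n\r\n",
    110: b"+OK ExamplePOP 3.1 server ready\r\n-ERR Unknown command\r\n",
    6000: b"\x31\x72\x98\x00",
}


def fake_server(port: int, payload: bytes) -> bytes:
    return SAMPLE_RESPONSES.get(port, b"")


if __name__ == "__main__":
    probes = parse_probe_file(PROBE_FILE)
    for port in (21, 22, 80, 110, 6000, 9999):
        print(port, identify(probes, port, fake_server))
```

With the constructed responses, ports 21, 22, 80, 110 and 6000 are each identified after one probe, while an unknown port (9999) receives every probe in the file before the reader gives up; that count is the number a wrapper like tcpd would see as separate connection attempts.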
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).